Re: ftps fails to work with client side ssl
Sat, 07 Mar 2009     Yutaka Sato

Hi,

In message  on 02/27/09(17:22:56)
you pdeiqbdyi-6nsez64hvsqb.ml@ml.delegate.org wrote:
 |> As long as I know, FTPS using port #990 applies SSL without any
 |> negotiation and nothing to do with RFC2228.
 |
 |It seems like the FTPS clients I tried (Filezilla and lftp so far) expect
 |an un-encrypted data channel by default.  Given that lftp implements an
 |option "ftps:initial-prot" it seems like the authors are expecting a PROT
 |command to be supported on the server.  I am just speculating (not having
 |read the source code for lftp) but my guess is that if delegate in FTPS
 |mode provided a PROT command, lftp in FTPS mode would try to use it.

If so, it is a little strange that lftp sends PBSZ, which is not listed
in the response by DeleGate to the FEAT command.
I tested just adding PBSZ and PROT to the list unconditionally, but the
behavior of lftp did not change [--1].
And with "set ftps:initial-prot P", lftp starts SSL for the data connection
without negotiation (without sending PROT) [--2].

By the way, I uploaded DeleGate/9.9.2-pre4 with some modifications to
improve support for FTPS.

 1) timeout in SSL detection on FTPS data connection
   - to cope with FTPS clients with/without SSL for data-connection
   - the default timeout is 10 seconds
     - it is shorter (0.1 seconds) if specified as optional with STLS="-fcl"
     - it is yet shorter (0.01 seconds) with "PBSZ 0" and without "PROT P"
   - the timeout can be specified explicitly as STLS="fcl,im0.3" for example

 2) support for "PROT C"
   - permitted if specified as optional with STLS="-fcl"

 3) automatically allowing protocols for MOUNTed target server
   - explicit REMITTABLE="+,ftp" has become unnecessary

 4) ending lines of MOUNTed banners with CRLF
   - recent lftp does not work if they end with LF only

 5) don't split large status response into multiple SSL records
   - "Transmit3" stalls on such response

And I noticed that recent lftp warns about disconnection without an SSL shutdown
alert (although it is not rejected, as it is in FileZilla), as in [--3].
So I think it might be better to let "TLSCONF=shutdown" be enabled by default,
at least in FTP-DeleGate, as in [--4].

Cheers,
Yutaka
--
  9 9   Yutaka Sato http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

--1
  $ lftp -d ftps://192.168.1.1:9999
  ...
  ---> FEAT
  <--- 211-Extensions supported
  <---  MDTM
  <---  SIZE
  <---  EPSV
  <---  EPRT
  <---  PBSZ
  <---  PROT
  <--- 211 END
  ---> USER anonymous
  <--- 331- Guest login ok, enter your E-mail address as password.
  <--- 331  Default value is: ?
  ---> PASS lftp@
  <--- 230- Guest login ok, your E-mail address is 
  <--- 230  Now you can select a FTP SERVER by cd //SERVER
  ---> PWD
  <--- 257 "/" is current directory.
  ---> PBSZ 0
  <--- 200 OK
  ---> PASV
  <--- 227 Entering Passive Mode (192,168,1,1,202,187).
  ---- Connecting data socket to (192.168.1.1) port 51899
  ---- Data connection established
  ---> LIST
  <--- 150-- LIST for anonymous@ftp.delegate.org.
  ...
  <--- 150--  @ @
  <--- 150  \( - )/ -- { connected to `ftp.delegate.org' }
  ...
  ---- Got EOF on data connection

--2
  ---> PBSZ 0
  <--- 200 OK
  ---> CWD /pub
  <--- 250-- CWD for anonymous@ftp.delegate.org.
  ...
  ---> PASV
  <--- 227 Entering Passive Mode (192,168,12,254,202,213).
  ---- Connecting data socket to (192.168.12.254) port 51925
  ---- Data connection established
  ---> LIST
  <--- 150 Opening ASCII mode data connection for LIST (583 bytes).
  Certificate: O=...

--3
  <--- 226 Transfer complete (111 bytes)
  gnutls_record_recv: A TLS packet with unexpected length was received.; assuming EOF
  ---- Got EOF on data connection
  ---- Closing data socket

--4
*** dist/src/delegate9.9.2-pre4/src/delegated.c	Thu Mar  5 23:13:55 2009
--- ./src/delegated.c	Sat Mar  7 06:04:03 2009
***************
*** 6534,6539 ****
--- 6534,6542 ----
  	}
  
  	defineAdminSTLS(Conn);
+ 	if( streq(iSERVER_PROTO,"ftp") || streq(iSERVER_PROTO,"ftps") ){
+ 		scan_TLSCONF(Conn,"shutdown");
+ 	}
  	if( getEnv(P_STLS) )
  	if( doneCRYPT == 0 && withDGA == 0 ){
  		sv1log("scan STLS and FILTERS before beDaemon()...\n");
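Review bot: the new `scan_TLSCONF(Conn,"shutdown")` call is made unconditionally for "ftp"/"ftps" servers, before the `getEnv(P_STLS)` check that follows, so it is worth confirming that an operator who sets TLSCONF explicitly can still turn the shutdown alert off; if scan_TLSCONF only accumulates flags, guard the default with a check that no TLSCONF was given. A one-line comment on the added block saying why the default exists (the lftp "TLS packet with unexpected length" warning in [--3]) would also help the next reader of delegated.c.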
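An added example (not DeleGate's own code) of the data-connection SSL detection described in item 1) of the post: peek at the client's first bytes with a timeout, treat a TLS ClientHello as SSL and silence as a clear-text client. The timeout values and the PBSZ/PROT policy follow the post; `detection_timeout`, `simulate` and the sample byte strings are constructed here.

```python
import socket

def detection_timeout(optional_stls: bool, pbsz_zero: bool, prot_p: bool) -> float:
    """Timeout policy from the post (constructed helper, not DeleGate's code)."""
    if not optional_stls:          # STLS="fcl": client is expected to use SSL
        return 10.0
    if pbsz_zero and not prot_p:   # "PBSZ 0" sent but no "PROT P": almost surely clear
        return 0.01
    return 0.1                     # STLS="-fcl": SSL is optional on the data connection

def looks_like_tls_client_hello(head: bytes) -> bool:
    """True if the first bytes are a TLS (or SSLv2-compatible) ClientHello."""
    # TLS record header: type 0x16 = handshake, version 0x03 0x0?, 2-byte length,
    # then the first handshake byte 0x01 = ClientHello.
    if (len(head) >= 6 and head[0] == 0x16 and head[1] == 0x03
            and head[2] <= 0x04 and head[5] == 0x01):
        return True
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set, then 0x01.
    if len(head) >= 3 and head[0] & 0x80 and head[2] == 0x01:
        return True
    return False

def classify_data_connection(sock: socket.socket, timeout: float) -> str:
    """Peek at what the client sends first (MSG_PEEK leaves the bytes for the
    real reader). A TLS client opens with ClientHello; a clear-text client sends
    nothing on a LIST/RETR data connection, so silence until the timeout means
    'clear', not an error."""
    sock.settimeout(timeout)
    try:
        head = sock.recv(6, socket.MSG_PEEK)
    except socket.timeout:
        return "clear"
    if not head:
        return "closed"
    return "tls" if looks_like_tls_client_hello(head) else "clear"

def simulate(client_bytes, timeout: float) -> str:
    """Constructed harness: a socketpair stands in for the accepted data socket.
    client_bytes=None means the client closed without sending anything."""
    client, server = socket.socketpair()
    try:
        if client_bytes is None:
            client.close()
        elif client_bytes:
            client.sendall(client_bytes)
        return classify_data_connection(server, timeout)
    finally:
        client.close()
        server.close()
```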